Data Processing Addendum

Last Updated: August 2025

This Data Processing Addendum (including its Attachments) (“DPA”) forms part of and is subject to the terms and conditions of the Subscription Services Agreement (the “Agreement”) by and between Customer and Poggio Labs.

  1. SUBJECT MATTER AND DURATION.

    1. Subject Matter. This DPA reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Poggio Labs’ execution of the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its Attachments conflicts with the Agreement, this DPA shall control.

    2. Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement. Poggio Labs will Process Customer Personal Data until the relationship terminates as specified in the Agreement.

  2. DEFINITIONS. For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

    1. “Customer Personal Data” means Customer Materials that are Personal Data Processed by Poggio Labs on behalf of Customer.

    2. “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).

    3. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.

    4. Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

    5. Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Poggio Labs.

    6. Subprocessor(s)” means Poggio Labs’ authorized vendors and third-party service providers that Process Customer Personal Data.

  3. PROCESSING TERMS FOR CUSTOMER PERSONAL DATA.

    1. Documented Instructions. Poggio Labs shall Process Customer Personal Data to provide the Subscription Services in accordance with the Agreement, this DPA, any applicable Order Form, and any instructions agreed upon by the Parties. Poggio Labs will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law.

    2. Authorization to Use Subprocessors. To the extent necessary to fulfill Poggio Labs’ contractual obligations under the Agreement, Customer hereby authorizes Poggio Labs to engage Subprocessors.

    3. Poggio Labs and Subprocessor Compliance. Poggio Labs shall: (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for Poggio Labs’ Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.

    4. Right to Object to Subprocessors. Where required by Data Protection Laws, Poggio Labs will notify Customer prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the Parties will work together in good faith to resolve the grounds for the objection.

    5. Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

    6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Poggio Labs agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.

    7. CCPA.

      1. Definitions

        1. For purposes of this Section A, the terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.

        2. All references to “Personal Data,” “Controller,” “Processor,” and “Data Subject” in this Addendum shall be deemed to be references to “Personal Information,” “Business,” “Service Provider,” and “Consumer” as defined in the CCPA.

      2. Obligations

        1. With respect to Customer Personal Data, the parties acknowledge and agree that Customer is a Business and Poggio Labs is a Service Provider for the purposes of the CCPA (to the extent it applies) and Poggio Labs is receiving Customer Personal Data from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.

        2. Customer shall disclose Customer Personal Data to Poggio Labs only for the limited and specified purposes described in Attachment 1 to this DPA.

        3. Poggio Labs shall not Sell or Share Customer Personal Data.

        4. Poggio Labs shall not retain, use, or disclose Customer Personal Data for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.

        5. Poggio Labs shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Poggio Labs and Customer, except where and to the extent permitted by the CCPA.

        6. Poggio Labs shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.

        7. Except and to the extent permitted by the CCPA, Poggio Labs will not combine Customer Personal Data with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.

        8. Poggio Labs shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Customer Personal Data the level of privacy protection required by CCPA.

    8. In the event that Poggio Labs engages a new sub-processor to assist Poggio Labs in providing the Services to Customer under the Agreement, Poggio Labs shall: (i) notify Customer of such engagement via the notification mechanism described in Section 3(d) of this Addendum at least ten (10) days before enabling a new Sub-Processor; and (ii) enter into a written contract with the Sub-processor requiring Sub-processor to observe all of the applicable requirements set forth in the CCPA.

    9. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Poggio Labs agrees to provide reasonable assistance to Customer where, in Customer’s judgement, the type of Processing performed by Poggio Labs requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

    10. Demonstrable Compliance. Poggio Labs agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Customer’s reasonable request.

    11. Service Optimization. Where permitted by Data Protection Laws, Poggio Labs may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.

  4. INFORMATION SECURITY PROGRAM. Poggio Labs shall implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.

  5. NOTICE OF SECURITY INCIDENTS. Upon becoming aware of a Security Incident, Poggio Labs agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

  6. CROSS-BORDER TRANSFERS OF CUSTOMER PERSONAL DATA.

    1. Cross-Border Transfers of Customer Personal Data. Customer authorizes Poggio Labs and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.

    2. EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Poggio Labs in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the Parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Attachment 1 attached hereto, the terms of which are incorporated herein by reference. Each Party’s execution of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

  7. AUDITS.

    1. Right to Audit; Permitted Audits. In addition to any other audit rights described in the Agreement, Customer and its regulators shall have the right, upon at least 30 days’ prior written notice, to an on-site audit (at a date and time mutually agreed upon) of Poggio Labs' architecture, systems, policies and procedures relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator: (i) following any notice from Poggio Labs to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data; (ii) as required by governmental regulators; and (iii) for compliance purposes, once annually.

    2. Audit Terms. Any audits described in this Section shall be: (i) conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties and paid for by Customer; (ii) conducted during reasonable times; (iii) to the extent possible, conducted upon reasonable advance notice (but no less than 30 days’ prior notice) to Poggio Labs; and (iv) of reasonable duration and shall not unreasonably interfere with Poggio Labs' day-to-day operations.

    3. Third Party Auditor. In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Poggio Labs' and Poggio Labs' customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.

    4. Audit Results. Upon Poggio Labs' request, after conducting an audit, Customer shall notify Poggio Labs of the manner in which Poggio Labs does not comply with any of the applicable security, confidentiality or privacy obligations or Data Protection Laws herein. Upon such notice, Poggio Labs shall make any reasonably necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six 6 months of Poggio Labs' notice of completion of any necessary changes. To the extent that a Poggio Labs audit and/or Customer audit identifies any material security vulnerabilities, Poggio Labs shall remediate those vulnerabilities within a commercially reasonable amount of time of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time.

  8. RIGHTS OF DATA SUBJECTS

    1. Poggio Labs shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s rights of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Poggio Labs receives a Data Subject Request in relation to Customer Personal Data, Poggio Labs will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Poggio Labs, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

    2. Poggio Labs shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Poggio Labs' assistance and (ii) Poggio Labs is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Poggio Labs

  9. DATA STORAGE AND DELETION

    1. Data Storage. Poggio Labs will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.

    2. Data Deletion. Poggio Labs will abide by the following with respect to deletion of Customer Personal Data:

    3. Within a reasonable amount of time after the Agreement’s expiration or termination, or sooner if requested by Customer, Poggio Labs will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).

    4. Upon Customer’s request, Poggio Labs will promptly return to Customer a copy of all Customer Personal Data within 30 days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.

    5. Customer Personal Data shall be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media.

    6. Upon Customer’s request, where permitted by applicable law, Poggio Labs will provide a “Certificate of Deletion” certifying that Poggio Labs has deleted all Customer Personal Data. Poggio Labs will provide the “Certificate of Deletion” within 30 days of Customer’s request.

  10. LIMITATION OF LIABILITY. Each Party’s liability, including the liability of all of its affiliates, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference to the liability of a Party means the total liability of that Party and all of its affiliates under the Agreement and this Addendum together.

ATTACHMENT 1 TO THE DATA PROCESSING ADDENDUM

This Attachment 1 forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Attachment 1 have the meaning set forth in the DPA.

The Parties agree that the following terms shall supplement the Standard Contractual Clauses:

  1. SUPPLEMENTAL TERMS. The Parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must inform data exporter of any new subprocessor in accordance with Section 3(d) of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

  2. ANNEX I. Annex I to the Standard Contractual Clauses shall read as follows:

A. List of Parties

Data Exporter: Customer.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.

Activities relevant to the data transferred under these Clauses: The Subscription Services.

Role: Controller.

Data Importer: Poggio Labs.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.

Activities relevant to the data transferred under these Clauses: The Subscription Services.

Role: Processor.

B. Description of the Transfer:

Categories of data subjects whose personal data is transferred: The categories of data subjects are within the control of the Customer and may include individuals about whom data is provided to Poggio Labs by or at the direction of Customer pursuant to the Agreement

Categories of personal data transferred: The categories of Personal Data are within the control of the Controller, to the extent provided to Poggio Labs by or at the direction of the Customer pursuant to the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.

Nature of the processing: Poggio Labs will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services. The processing operations are the Services that are used by Customer.

Purpose(s) of the data transfer and further processing: To provide the Subscription Services as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement and 60 days afterward for the return and/or deletion of the personal data.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature and duration identified in the Agreement and the DPA.

C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the Parties consistent with the conditions set forth in Clause 13.

D. Additional Data Transfer Impact Assessment Questions:

Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?

Not to data importer’s knowledge.

Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:

As of the effective date of the DPA, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.

Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:

No.

Has data importer ever received a request from public authorities for personal data of individuals located in the European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:

No.

E. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the DPA and, as may be the case for a Party, such Party’s independent research, to the Parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.

F. Clarifying Terms: The Parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the DPA; (iv) where permitted by applicable data protection laws, data importer may engage existing subprocessors using European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors and such use of subprocessors shall be deemed to comply with Clause 9 of the Clauses; (v) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (vi) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vii) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (viii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.

  1. ANNEX II. Annex II of the Standard Contractual Clauses shall read as follows:

Technical and Organizational Security Measure

Details

Measures of pseudonymisation and encryption of personal data

Networking between the vendor’s services and the client web application is encrypted, as is data at rest, protected by industry standard authentication and authorization protocols. Our Global Load Balancer is Setup with TLS1.2+ and we use the RESTRICTED SSL policy as defined by Google Cloud. We leverage Google-managed encryption keys for all services we leverage in GCP.

Application users are authenticated via Google Cloud Identity Platform which generates a JWT for the client with RS256 (RSA Signature with SHA-256) to validate the signature of the token.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Poggio’s primary database, firestore, is replicated across multiple regions in the US.

Poggio’s secondary database, Alloydb, is replicated across multiple zones.

Poggio’s backend services are replicated across multiple zones and are automatically load balanced across them.

Poggio’s virtual machines have GCP’s Shielded VM enabled.

Disaster recovery protocols are periodically stress-tested.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

All of Poggio databases support a point-in-time backup (ability to recover data to a second resolution).

Poggio performs an annual disaster recovery review.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Poggio leverages continuous integration to run a set of tests again every code change. Production deploys are gated behind a passing end-to-end test suite.

Poggio has partnered with a vendor to perform annual penetration testing.

Poggio has SOC2 Type II certification.

Measures for user identification and authorization

Poggio leverages GCP’s Identity Platform to power all authentication features, including multi-factor authentication.

Measures for the protection of data during transmission

Poggio leverages GCP’s global load balancer with the RESTRICTED SSL policy.

Measures for the protection of data during storage

Poggio leverages GCP’s default encryption-at-rest

Measures for ensuring physical security of locations at which personal data are processed

Poggio’s data sub-processors restrict physical access to data processing environments.

Measures for ensuring events logging

Poggio leverages GCP’s Cloud Logging as a primary sink for all system logs. LLM traces are hosted separately within Poggio’s infrastructure.

Measures for ensuring system configuration, including default configuration

Poggio uses Terraform, an infrastructure-as-code tool to capture system configuration and track changes.

Measures for internal IT and IT security governance and management

Poggio has established a security team / steering committee with defined management roles and responsibilities, in addition to expertise among the membership of the board of directors. The security team is responsible for establishing and overseeing security controls in accordance with identified risks.

Measures for certification/assurance of processes and products

Annual SOC 2 Type 2 Audit, available upon request from the Poggio Trust Center.

Measures for ensuring data minimisation

Poggio has a policy-defined data classification scheme, which applies to information including, but is not limited to, information that is received, stored, processed, or transmitted via any means. This includes electronic, hardcopy, and any other form of information regardless of the

media on which it resides.

Data classifications are associated with encryption strategies, allowed modes of transmission and access, and necessary legal agreements that need to be in place prior to transmission.

Measures for ensuring data quality

Poggio continually reviews data providers for accuracy and completeness.

Measures for ensuring limited data retention

Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account

is voluntarily closed. Expired account data will be retained for 60 days. After this period, the account and related data

will be removed. Customers that wish to voluntarily close their account should download their data manually or via the

API prior to closing their account.

If a customer account is involuntarily suspended, then there is a 30 days grace period during which the account will be

inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service

violations.

If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is

brought back to good standing so that the user interface will be available for their use. After 60 days, the suspended

account will be closed and the data will be permanently removed thereafter (except when required by law to retain).

Poggio maintains zero-data-retention (ZDR) agreements with 3rd party LLM vendors.

Measures for ensuring accountability

Employees undergo annual training, including security awareness training. In addition, all employees are required to read and acknowledge internal policies upon hire and whenever material changes are made. Risk assessments are performed annually, as are external penetration tests and tests of our incident response protocols.

Measures for allowing data portability and ensuring erasure

See the data retention policy details above for more info.

Technical and organizational measures of sub-processors

Poggio enters into Data Processing Agreements with its Subprocessors with data protection obligations substantially similar to those contained in this DPA.

  1. ANNEX III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:

The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The Parties agree that Importer may end the UK Addendum as set out in Section 19.

Last updated